How to configure a data retention policy for individual tables in Log Analytics
As you know, each Workspace has a default retention policy that applies to all tables. But you can set a different retention policy on individual tables if you desire. In this post, I want to show you how to configure a data retention policy for individual tables in Log Analytics using Azure CLI. Retention policies define when to delete or archive data in a Log Analytics workspace. Archiving allows you to keep older, less-used data in your Workspace at a reduced cost.
- Interactive retention: This is when your data will be available for interactive queries. You can keep data on interactive retention between 4 and 730 days.
- Total retention period: This is a sum of the interactive and archive periods. You can set the archive period for a total retention time of up to 2,555 days.
Important: You cannot set retention policies for individual tables in workspaces on the legacy free trial pricing plan.
Prerequisites #
- This tutorial assumes that you already have a Log Analytics Workspace. You can use an existing Workspace, or if you want to create a new one, check out this link.
Azure CLI Workaround #
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.
resourceGroupName="RG-DEMO-HUB"
logAnalyticsName="LAW-DEMO-HUB"
List all the tables in the Log Analytics workspace #
First, use the following command to list all the tables in your Workspace. In it, you can see the name of the table and the corresponding log retention.
az monitor log-analytics workspace table list \
--workspace-name $logAnalyticsName \
-g $resourceGroupName \
-o table
Update the log retention of a Log Analytics workspace table #
Once you locate the table you want to modify, run the following command passing the desired values for the --retention-time and --total-retention-time parameters.
az monitor log-analytics workspace table update \
--name 'Alert' \
--workspace-name $logAnalyticsName \
-g $resourceGroupName \
--retention-time 90 \
--total-retention-time 180
- --retention-time This is the period that your data will be available for interactive queries. You can keep data on interactive retention between 4 and 730 days.
- --total-retention-time This is a sum of the interactive and archive periods. You can set the archive period for a total retention time of up to 2,555 days.
If you want to reset the Workspace’s default interactive retention values to the table and reset its total retention to 0, you should use the following command.
az monitor log-analytics workspace table update \
--name 'Alert' \
--workspace-name $logAnalyticsName \
-g $resourceGroupName \
--retention-time -1 \
--total-retention-time -1
Check the changes made #
Once you have performed the steps in the previous step, use the following command to verify that the changes have been applied correctly.
az monitor log-analytics workspace table show \
--name 'Alert' \
--workspace-name LAW-DEMO-HUB \
-g RG-DEMO-HUB \
-o table
Thanks for reading my post. I hope you find it helpful. If you want to know more about Log Analytics workspaces and data retention, check out this link.